Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

JSA Component Types

 

Each JSA appliance that is added to the deployment has configurable components that specify the way that the managed host behaves in JSA.

Figure 1: JSA Event and Flow Components
JSA Event and
Flow Components

JSA Console

The JSA console provides the JSA product interface, real-time event and flow views, reports, offenses, asset information, and administrative functions. In distributed environments, the JSA console is used to manage the other components in the deployment.

Event Collector

The Event Collector collects events from local and remote log sources, and normalizes the raw event data so that it can be used by JSA. To conserve system resources, the Event Collector bundles identical events together and sends the data to the Event Processor.

Event Processor

The Event Processor processes events that are collected from one or more Event Collector components. If events are matched to the custom rules that are defined on the Console, the Event Processor follows the action that is defined in the rule response.

Each Event Processor has local storage. Event data is stored on the processor, or it can be stored on a Data Node.

JSA Flow Processor

JSA flow processor collects network flows from devices on your network. Live and recorded feeds are included, such as network taps, span ports, NetFlow, and JSA flow logs.

Note

Log Manager doesn't support flow collection.

Flow Processor

The Flow Processor processes flows from one or more JSA flow processor appliances. The Flow Processor appliance can also collect external network flows such as NetFlow, J-Flow, and sFlow directly from routers in your network.

Flow Processors include an on-board processor and internal storage for flow data.

Data Node

The Data Node receives security events and flows from event and flow processors, and stores the data to disk.

The Data Node is always connected to either an Event Processor or a Flow Processor.

Off-site Source and Target Appliances

An off-site appliance is a JSA appliance that is not part of the deployment that is monitored by the JSA console.

An off-site source appliance forwards normalized data to an Event Collector. You can configure an off-site source to encrypt the data before forwarding.

An off-site target appliance receives normalized event or flow data from any Event Collector, or any processor in your deployment.

Later versions of JSA systems can receive data from earlier versions of JSA systems, but earlier versions can't receive data from later versions. To avoid problems, upgrade all receivers before you upgrade senders.